[00:14.800 --> 00:23.940]  And we are live. All right. We are here in another Q&A session with Jake LaBelle, talking
[00:23.940 --> 00:31.580]  about z/OS and surrogate chains. Jake, would you like to tell us a little bit about yourself
[00:31.580 --> 00:34.580]  and how you got into mainframe hacking?
[00:35.520 --> 00:48.680]  Hi, I'm Jake. So I guess how I got into it, my company does some jobs in it. I was looking
[00:48.680 --> 00:52.240]  at some of the reports they wrote and I went, that looks pretty cool. Looked at some pictures
[00:52.240 --> 00:58.000]  of mainframes and was like, yep, that looks like my type of thing. And yeah, just jumped
[00:58.000 --> 01:04.660]  right into it. Yeah, it's, I don't know, I think it looks cool. And so I just went
[01:04.660 --> 01:05.280]  for it.
[01:05.280 --> 01:09.940]  That's awesome. And I believe this is your first time presenting at DEF CON, correct?
[01:10.260 --> 01:11.400]  Yep, first time.
[01:11.600 --> 01:19.060]  So we have a tradition here at DEF CON, whenever you do your first talk, we welcome you onto
[01:19.060 --> 01:29.380]  the big stage with a drink. This is for contributing content back to the community and answer,
[01:29.380 --> 01:35.220]  taking the time to answer questions. So cheers to you, Jake. Welcome to DEF CON.
[01:35.220 --> 01:41.760]  Cheers. I may be a little jealous with filling up my drink though, so...
[01:46.390 --> 01:47.430]  All right.
[01:48.670 --> 01:49.870]  Cheers.
[01:49.870 --> 01:57.430]  Yeah. So we've already got a few questions that have been going through the chat. You kind of
[01:58.030 --> 02:03.690]  already mentioned like what got you into hacking mainframes. So I'm going to go on to the next one.
[02:04.190 --> 02:09.270]  Most high security systems, security plans will have periodic audits of rights to make sure the
[02:09.270 --> 02:13.510]  former super user accounts cannot be taken advantage of. Your talk sort of goes into how
[02:13.510 --> 02:17.750]  these permissions get chained between users and how they're just sort of left alone.
[02:19.870 --> 02:24.570]  Do you encounter any of these issues in audits where you're like, you have to remove these
[02:24.570 --> 02:28.930]  accounts? Or is it pretty much a no-go on touching things?
[02:29.190 --> 02:34.050]  I guess you'll have like with an audit, you'll have like, for example, okay, well, we don't want to
[02:34.050 --> 02:41.650]  make some users access this special user, which is basically root. But what about that user which
[02:41.650 --> 02:46.930]  accesses that user? What about that user which has access to that user? That's not really...
[02:47.750 --> 02:52.950]  possible to audit. You don't really have the ability to... you don't really have the ability
[02:52.950 --> 02:56.750]  when you're... well, you probably could, but they probably should, but they don't.
[02:58.590 --> 03:04.630]  And this... can you use this technique that you had to like... at one point you show like this massive
[03:04.630 --> 03:11.690]  Graphviz graph of nodes. It looks like you were able to fully enumerate all those chains.
[03:11.830 --> 03:15.030]  Could you extend that into some kind of like security auditing?
[03:16.490 --> 03:23.630]  Yeah, 100%. So someone else who worked at the company, he made like a tool which...
[03:24.630 --> 03:31.250]  so this one is more of like a... not an exploitation tool, but like one that you
[03:31.250 --> 03:35.710]  would use if you didn't have full access. But if you had full access, what you could do is you're
[03:35.710 --> 03:42.190]  allowed to... you can do what's called unloading the RACF databases, which is all the security.
[03:42.190 --> 03:46.730]  So you can just take that and then offline you can use that to create all the tools. But this
[03:46.730 --> 03:53.270]  one's more for... because if you didn't have access, so from your user, what can you access?
[03:53.270 --> 03:59.810]  But from offline, someone else at the company was making a tool which takes the RACF database,
[03:59.810 --> 04:03.590]  puts it into any SQL database, and then you can query it however you like.
[04:03.770 --> 04:09.710]  Well, that sounds handy. Someone else is asking,
[04:09.710 --> 04:13.690]  z/OS is tied to IBM. Do you think this could be applied to IBM i?
[04:14.810 --> 04:21.430]  I've never been on an IBM i. I need to be on an IBM i system just to see what it's like, but
[04:21.430 --> 04:25.410]  I've never actually been on it, so I have no clue what the security is on there.
[04:26.050 --> 04:33.530]  Fair enough. So I've got to say that my knowledge of mainframes is fairly weak.
[04:34.110 --> 04:38.630]  When you were at the beginning of your talk, you mentioned a couple... you mentioned partition
[04:38.630 --> 04:42.690]  datasets versus normal ones as if they were significantly different. Could you
[04:42.690 --> 04:50.630]  explain what the differences are in those? Yeah, so there's no such thing as folders in
[04:50.630 --> 04:56.230]  z/OS, so I don't know why, but they like to have a flat file system. So instead of having that,
[04:56.230 --> 05:05.510]  you have datasets, and then there's just... datasets can have multiple members in them,
[05:05.510 --> 05:10.830]  so it's kind of like... it acts like a folder, but they're all part of one single file.
[05:11.010 --> 05:18.930]  So it's... I don't know. It's how they do it. So we think of the partition dataset as kind of
[05:18.930 --> 05:26.010]  like a file inside of a folder, and the dataset's the folder. Yeah. Yeah. Close enough? Yeah.
[05:28.010 --> 05:33.170]  Okay, fair enough. When I was going through it, the first thing was like, okay, how do these
[05:33.170 --> 05:39.150]  correlate to Unix things? And then it was like, wait a minute, nothing correlates. So what am I
[05:39.150 --> 05:46.690]  doing? That's kind of where I was going to go with. But you did mention the OMVS subsystem,
[05:46.690 --> 05:54.190]  I believe it was, that is a Unix-like environment. How comfortable would someone that is Linux-centric
[05:54.190 --> 06:00.150]  feel inside this OMVS environment? It's basically exactly the same. The only thing is that
[06:00.150 --> 06:05.730]  once you're in that system, you can run anything on the mainframe as well. So you can just say,
[06:05.730 --> 06:13.030]  you can run a TSO, which is the normal mainframe part, and just go TSO, whatever script you were
[06:13.030 --> 06:17.750]  going to run in the mainframe thing. So it's exactly the same as any sort of Linux system,
[06:17.750 --> 06:24.490]  like all the privileges are the same, just you can also, if you have it, you also have access
[06:24.490 --> 06:34.410]  to that user's mainframe stuff. Okay. Got it, I think. So Jake, do you think your tool could
[06:34.410 --> 06:42.030]  work on ACF2 or TSS? Again, never been on that. I've only been on a couple of mainframe jobs.
[06:42.530 --> 06:53.730]  But if it allows surrogate submission, then yeah. So from my kind of understanding of what
[06:53.730 --> 07:02.110]  surrogates are, it's like a tree of delegated permissions, right? So you get this surrogate
[07:02.110 --> 07:06.050]  permission for another user, and then you are effectively gaining all the rights of them,
[07:06.050 --> 07:13.330]  right? So depending on what type of surrogate you give, so the main one is you'll have
[07:13.330 --> 07:20.170]  user.star in class surrogate, and that means that you can submit a job as user.star,
[07:20.170 --> 07:26.750]  but there's other type of ones you can have. But a lot of times, if you have surrogate and
[07:26.750 --> 07:33.010]  one person, you can do all the stuff from that. Like, for example, there's one that I had where
[07:33.010 --> 07:38.670]  you can, so surrogate, which allows you to write, to do su. But if you can do su, you can run any
[07:38.670 --> 07:45.950]  TSO command. So it basically means you have full privileges on their thing. Got it. So is it
[07:45.950 --> 07:49.910]  something that you have to like, generally you have to specifically invoke to get the other user's
[07:49.910 --> 07:55.850]  permissions? Or do they all just like get wrapped up into... So that's one of the things that why
[07:55.850 --> 08:03.370]  it required the tool was that you couldn't just... so if user1 had submit on user2, you couldn't
[08:03.370 --> 08:13.370]  just run user2 stuff. You have to run a job as user2, and that will get returned sometime later.
[08:13.370 --> 08:18.430]  So that's why the tool was required, is that you can't just run the... you don't have the privileges,
[08:18.430 --> 08:25.050]  you can submit a job as that user. But yeah. Okay. I actually think that I like literally have
[08:25.050 --> 08:28.430]  that in my head now. That's awesome. That was really well described.
[08:33.050 --> 08:40.140]  What are your thoughts on JCL? It's a great language. It's... what am I...
[08:41.740 --> 08:49.340]  Yeah, it's... it takes a while getting used to, because reading the IBM docs is... it's a skill in itself.
[08:49.340 --> 08:53.060]  Like, I think I've actually started to... it's really... I don't know if it's something I should
[08:53.060 --> 08:57.500]  be worried about, but I've actually started to be able to understand IBM documentation, and that's
[08:58.080 --> 09:06.540]  worrying me. That does sound a little concerning. I'm like, wait, wait, I get it now? But yeah, so it's...
[09:07.520 --> 09:12.940]  Yeah, so JCL is just a way to submit batch jobs, and yeah.
[09:13.680 --> 09:19.480]  Is there any kind of like tooling that makes like interacting with that kind of like languages
[09:19.480 --> 09:25.680]  easier? Or I know that like one of the current hot things is like building languages on top of languages.
[09:27.920 --> 09:35.820]  So yeah, the writing... like whenever I wrote my programs or any type of thing that I use,
[09:35.820 --> 09:40.360]  because it's just easier, it's the JCL. I don't really understand how... I don't really understand
[09:40.360 --> 09:45.880]  how you pass like parameters to it. So I just put it all in like one little REXX script, and then it
[09:45.880 --> 09:50.840]  will just run itself. And then... so REXX is like... it's just a scripting language. It's easy to use.
[09:50.840 --> 10:02.200]  So I just... yeah, that's... yeah, that's right. Yeah, it's just... what is it? JCLs, they just...
[10:02.200 --> 10:08.620]  there's lots of like programs that it can run that I have no clue what it does. But I know like...
[10:08.620 --> 10:13.780]  it feels like I now know like what the most important ones do. So that's fine.
[10:13.780 --> 10:22.560]  I mean, it's probably enough. Like if you know like 75% of most systems, you are very comfortable in that system.
[10:25.360 --> 10:30.600]  So Jake, have you made any other tools that kind of help to assist with mainframe hacking?
[10:30.600 --> 10:40.000]  Yeah, so I've got a couple which are varying in their usefulness. So I've got one which is...
[10:40.820 --> 10:47.620]  so the database for all the security is held. It's just a database. So if you have access...
[10:47.620 --> 10:52.300]  if you have write access to that, you have access to anything. So I created a quick tool which
[10:52.300 --> 11:00.040]  if you do have write access to it, it will just insert... it will look for your user, find the special flag
[11:00.040 --> 11:06.680]  and just turn it to one. So that's a tool which... it's very unlikely that you'll have access to that.
[11:06.680 --> 11:10.700]  Like that is something that is audited. So it's like, make sure that no one has access to this file.
[11:10.700 --> 11:16.680]  Because if they do, they have complete access to everything. What other tools? Oh, I made another...
[11:18.540 --> 11:23.680]  so a SOCKS proxy in REXX. So that allows you to... if there's any like...
[11:25.860 --> 11:30.640]  so for example, if there's any like internal ports you want to hit, or if there's any like...
[11:31.440 --> 11:36.500]  because everyone trusts the mainframe, so why wouldn't you accept all the firewall stuff from that?
[11:36.500 --> 11:41.000]  So if there's anything you want to like hit from the mainframe, then there's a SOCKS proxy
[11:41.000 --> 11:48.040]  which you can just run in REXX and then just pass on to any port that you can see from there.
[11:48.040 --> 11:54.500]  So REXX is like... it's not just like a scripting language like bash, which just has like... consumes
[11:54.640 --> 11:59.180]  a bunch of tools. Like it is like a language. Like it's like fully capable of doing like
[12:00.220 --> 12:05.220]  hosting network sockets and stuff like that. Yeah, it can do... so REXX, you can do anything
[12:05.220 --> 12:09.620]  you want to do. And there's also a... I don't really understand what the functionality is,
[12:09.620 --> 12:14.300]  but I know how to use it. So that's like... so if you run... if you write something called address...
[12:14.300 --> 12:19.020]  so for example, so if you want to write a TSO command, you write address TSO,
[12:19.020 --> 12:26.480]  and that means that any command you run in quotes runs as TSO. So the way I describe it is
[12:26.480 --> 12:30.180]  that you can run a program as another program, but I don't even know if that's actually what's
[12:30.180 --> 12:38.920]  happening. I just know that you can be like address DB2, which is an SQL database in IBM.
[12:38.920 --> 12:47.960]  And that will then run a command as DB2. So it's a fairly useful language. You can just be like,
[12:47.960 --> 12:53.120]  this program, I want to run this command. Yeah, it will do it.
[12:53.480 --> 12:59.620]  Cool. Mainframe is asking, could you talk a little bit more about TK4 and the difference
[12:59.620 --> 13:14.760]  between z/OS? So TK4 is... it's a beautiful thing. It's an open source mainframe from, well,
[13:14.760 --> 13:18.600]  for a public domain. I don't know what the actual term, like specific term is, but it's a...
[13:19.160 --> 13:24.120]  in 1980, they made a mainframe operating system, which is now in the public domain.
[13:24.760 --> 13:31.560]  And so it made some tools, they made from there, they've created TK4. And TK4 just allows you to
[13:31.560 --> 13:38.660]  just muck around with, I think I put it in my link in my presentation, but if you want,
[13:38.660 --> 13:44.840]  just download that, like TK4. You can run it off anything. I found it off a Raspberry Pi,
[13:44.840 --> 13:52.060]  so it's kind of fun. But yeah, if you want to run like, do like JCLs, you can install
[13:54.720 --> 13:59.820]  REXX on there. You can install KICKS, but also not actually... this was actually one of the things
[13:59.820 --> 14:03.300]  in my presentation that like, I didn't know how to say, like, so there's something called
[14:04.760 --> 14:09.380]  CICS with a C, and then something called KICKS with a K. And I was trying to say the difference
[14:09.380 --> 14:14.340]  between them. I was just like, so yeah, on my program, this has Kix, but this has Kix on here.
[14:14.340 --> 14:22.000]  And I was like, wait a minute, I've just said the same thing twice. But yeah, so K-I-C-K-S is
[14:22.220 --> 14:28.040]  an open source. If you want to muck around with CICS on there, which is one of the most, like,
[14:28.040 --> 14:33.860]  used thing on a mainframe, it's kind of like a web server-ish type of thing. It's...
[14:33.860 --> 14:37.940]  I don't know. There's no like equivalent to it, kind of. But yeah, if you...
[14:40.700 --> 14:43.300]  Yeah, TK4 is really good. If you want to just muck around with...
[14:44.140 --> 14:45.260]  Mainframe bits.
[14:45.680 --> 14:49.500]  Yeah. And it's completely open source. So muck around with that.
[14:50.180 --> 14:54.300]  Do you have... Do you know of any, like, good resources for, like, learning how to
[14:54.300 --> 15:00.600]  use and operate a mainframe? Because it's like coming into it cold, which is like booting up a
[15:00.600 --> 15:04.600]  Raspberry Pi image seems like...
[15:06.400 --> 15:11.960]  Yeah, yeah. The best place... Well, the thing is, is that this is 1980s, my mainframe. So even the
[15:11.960 --> 15:17.680]  IBM docs doesn't tell you what to do, how to do on this. So the kind of two places where it's
[15:17.680 --> 15:24.980]  the most... So on... There's a Mattermost community called mainframe.community.
[15:25.740 --> 15:30.200]  Super helpful. If you have any, like, stuff, asking questions on there, we'll get...
[15:31.120 --> 15:38.140]  We'll actually get questions answers instead of just being like, ask your SME how to do this.
[15:38.140 --> 15:43.240]  It's like, yeah. So mainframe.community, very good place for if you want to ask just, like, stuff.
[15:43.240 --> 15:49.920]  But yeah, some other places you might find that your questions don't get answered, but that's good.
[15:50.780 --> 16:00.200]  What other place? I think... So on my YouTube... There's this person called Moshix on YouTube.
[16:00.560 --> 16:04.320]  Very, very helpful on, like, TK4, like, how to install these things, how to...
[16:05.460 --> 16:08.720]  Yeah, how to do a lot of stuff on TK4.
[16:09.600 --> 16:11.080]  Oh, excellent.
[16:11.600 --> 16:17.720]  Now, was there anything for your research or even in your presentation that you didn't get to or
[16:17.720 --> 16:24.040]  that you wanted to look further into that you maybe will look more into in the future? Or
[16:24.720 --> 16:29.180]  you think it might be good if other people were to try to build upon what you've done?
[16:33.100 --> 16:37.240]  So... So on the surrogate chains, I've basically just done the... There's the
[16:37.240 --> 16:44.720]  *.SUBMIT privileges and the BPX.SRV.* privileges. But, like, there's other surrogate
[16:44.720 --> 16:50.760]  classes. I don't really know how they work. But if they could all get... If, like... I don't know
[16:50.760 --> 16:56.320]  how... And also how... If those surrogate classes, other classes, can get you access to everything,
[16:56.320 --> 16:59.940]  then those should also be added to the program. Like, if that's... If there's, like, a...
[17:02.120 --> 17:05.860]  Yeah, if there's another surrogate that I've missed, then yeah, that definitely should be
[17:05.860 --> 17:11.320]  something that should be added. Is your... Have you, like, open sourced a tool? Is that publicly
[17:11.320 --> 17:17.760]  available at this point? Yeah, on GitHub, I've put my... I think I've... Yeah, I've put my tool.
[17:17.760 --> 17:21.080]  It's just... Have you actually made it live? Made it public?
[17:26.930 --> 17:31.410]  I'll... I'll fling it onto the... Into the track chat.
[17:31.890 --> 17:40.210]  Yeah. Oh, there's lots of chats. I'm very confused about where it is.
[17:40.270 --> 17:44.890]  Yeah. I'm much of a Discord user, but... Good luck finding it. It is in the DEF CON
[17:44.890 --> 17:49.850]  talk tracks group. And you can either put it in track one... I found it. There you go.
[17:53.190 --> 17:58.650]  That's... That's one of the things that... When you're on a client call and you can't work out
[17:58.650 --> 18:03.210]  how the tech works, it's like... Sorry, I'm trying to work out how to get Skype working with my...
[18:03.210 --> 18:07.110]  With my audio. Please give me 10 minutes to work this out, please.
[18:12.780 --> 18:18.040]  I am running out of questions. Is there anything in particular that you want to, like, talk about
[18:18.040 --> 18:25.140]  or advocate for or anything else you want to... Any other areas of interest in the infosec world?
[18:25.140 --> 18:33.160]  Anything like that? Anything you want to share? I guess there's the thing about, like...
[18:33.160 --> 18:39.280]  I think a lot of people are like, mainframes? Why mainframes? What's the point of them?
[18:39.840 --> 18:48.780]  Yeah, it's... So, they do batch jobs incredibly, incredibly efficiently. Like,
[18:48.780 --> 18:52.600]  people are like, oh, yeah, just go cloud. It's like... Yeah, you don't... When you're trying
[18:52.600 --> 19:00.140]  to deal with, like, millions of, like, credit card transactions, it may not be the most
[19:00.140 --> 19:07.920]  cost effective to do it on, like, an AWS instance. That might be pretty expensive.
[19:08.240 --> 19:13.280]  And also, the other thing where all the code's already in, on a mainframe. So, like,
[19:14.140 --> 19:20.600]  it's going to be pretty difficult to convert your COBOL code to, I don't know, whatever that you're
[19:20.600 --> 19:24.940]  trying to convert it to. Yeah. Yeah. Any of the popular languages.
[19:27.620 --> 19:31.160]  Haka is asking about bricking the mainframe.
[19:35.240 --> 19:39.660]  I guess... With any of the things that you ever, like, play around with or do,
[19:39.660 --> 19:44.040]  do you... Is that a concern? Is that something that you have to, like, keep in your mind?
[19:46.260 --> 19:52.720]  The... There is a thing where, like, on client side that... So, when a web app,
[19:52.720 --> 19:54.840]  when you're in a testing environment, you're like, okay, I'll just
[19:55.340 --> 20:00.440]  keep throwing stuff at it. Let's see what happens. Let's see... Yeah, let's just keep
[20:00.440 --> 20:06.980]  throwing random, like, scripts at it. On a mainframe, you're like, hello, like, person,
[20:06.980 --> 20:11.200]  I'm testing this on. Can I throw this at this before I, like... I don't want to break your,
[20:11.200 --> 20:17.560]  like, your massively expensive system. Let's just make sure this is okay first.
[20:17.560 --> 20:24.700]  Like a major backbone in your organization. Can I just potentially screw it up right now?
[20:26.500 --> 20:42.280]  Yeah. So, it's... There's also the fun thing is that, like, maybe on, like, a mainframe,
[20:42.280 --> 20:48.360]  you might... The testing environment may be completely different to the actual, like,
[20:48.360 --> 20:52.740]  production environment, which is great fun, where you're like, oh, look, I found something.
[20:52.740 --> 20:59.780]  Is this a thing in your actual, like... No. Okay. Cool. That was a good, like, six hours
[20:59.780 --> 21:09.340]  looking at that. Great. Thanks. Cool. So, it seems as though that what you're doing
[21:09.340 --> 21:15.280]  is coming probably even more into demand. I'm seeing where people are looking for people that
[21:15.280 --> 21:20.800]  can program in COBOL and maintain mainframes. Is this something that you think might be an
[21:20.800 --> 21:25.920]  area that would be good for people to get into? And if so, if somebody with experience wanted to
[21:25.920 --> 21:29.940]  make the jump over, what sorts of things could they look into? How could they even get started
[21:29.940 --> 21:39.660]  in being able to support or test or work with mainframes? So, there is... So, I guess, like,
[21:39.660 --> 21:46.720]  if you're in, like, a company, you could just shadow a job. That's probably, like... There's
[21:46.720 --> 21:55.020]  also the... There is a z/OS 1.10 on Pirate Bay, which, of course, I would not be supporting.
[21:55.020 --> 22:01.820]  You know, piracy is bad and very illegal. Never do that. But if you do have that, that might be useful.
[22:02.520 --> 22:09.440]  But, yeah. So, who does still use mainframes today? Like, what industries or
[22:09.440 --> 22:14.520]  major companies, if you can say any, still make use of mainframes?
[22:15.080 --> 22:22.760]  So, basically, every bank that's big still uses mainframes there. Again, they're doing, like,
[22:22.760 --> 22:27.260]  massive batch, like, jobs. And they already have all the infrastructure already. So, they're not
[22:27.680 --> 22:31.700]  gonna... When they're, like, okay, who do we need to go... Do we need to, like... Do we want to move
[22:31.700 --> 22:37.160]  everything to the cloud? Or do we want to continue on a mainframe? The answer to that question is
[22:37.160 --> 22:44.040]  they're not going to change their entire system to get... To try and maybe... I don't even know if
[22:44.040 --> 22:50.680]  it would save money, but maybe. I don't know. And then, I guess, a lot of governments still
[22:51.200 --> 22:56.560]  use mainframes. Like, for example, I think there was a Freedom of Information request to the UK
[22:56.560 --> 23:02.620]  government about what mainframes are still in use. And one of the things that really got me was...
[23:02.620 --> 23:11.580]  So, this was to the people who do, like, the treasury, I think. And so, they were like,
[23:11.580 --> 23:16.500]  okay, here are the four mainframes that are out of date that we use. And they're, like,
[23:16.500 --> 23:23.400]  10 years old. And they also say, here are three other mainframes that are managed by Fujitsu that
[23:23.400 --> 23:30.560]  we use. So, through some research, I'm pretty certain that these are, like, 20-year-old
[23:30.560 --> 23:36.980]  mainframes that have, like, probably never, ever been looked at ever. They're just running, like...
[23:36.980 --> 23:39.820]  And I looked at them, and I was like, okay, what are the ones that are running? It's like,
[23:39.820 --> 23:45.900]  oh, these do all the customs in the UK. Huh. I bet they never want to ever change that shit ever.
[23:45.940 --> 23:50.640]  They're literally just, like, we're never changing this 20-year-old mainframe that we have.
[23:51.040 --> 23:55.940]  No one's ever looked at it. It's not even, like, it's not even an IBM mainframe. It's a
[23:57.120 --> 24:02.800]  special UK mainframe that got bought out by Fujitsu that is now running the customs in
[24:02.800 --> 24:09.680]  the UK. And I'm like, this has never been looked at. Like, even if a mainframe specialist looked
[24:09.680 --> 24:14.200]  at it, they wouldn't be able to know anything. It's, like, it's written in this weird language
[24:14.200 --> 24:19.860]  that I've never heard of. Maybe other people have heard of SCL? I don't know. Have you guys heard of
[24:19.860 --> 24:23.560]  that? I think that I've come across that in another
[24:24.100 --> 24:36.440]  DEF CON talk. Maybe. I get exposed to a lot of things. We did have another talk related to past
[24:36.440 --> 24:43.280]  talks. Cahill says, I've enjoyed various z/OS talks at DEF CON over the last few years, but I never
[24:43.280 --> 24:48.080]  hear about mainframe security otherwise. Are they a common attack target, or do they tend to go
[24:48.080 --> 24:52.260]  overlooked because of the foreignness of the platform? What does the defense side look like
[24:52.260 --> 24:57.760]  outside of the kind of audits you mentioned? I don't actually know, like, the access that...
[24:59.020 --> 25:03.220]  so it feels like the only people who would actually be able to access this are people
[25:03.220 --> 25:11.960]  who are fairly, like, sophisticated. You wouldn't have, like, just a random attacker going after a
[25:11.960 --> 25:17.400]  mainframe, because it's normally, like, hidden in their internal network. So, like, it'd probably
[25:17.400 --> 25:23.880]  be, like, a nation-state attacker, so, like, or, like, that type of, like, level. So I feel like
[25:23.880 --> 25:29.180]  if it's an attack, they wouldn't be going after financial stuff, so you wouldn't really ever see
[25:29.180 --> 25:35.680]  that it was happening, maybe? I don't know. I mean, like, there was the... oh, sorry, yeah.
[25:35.680 --> 25:41.180]  Oh, sorry, sorry. I mean, so, like, this might have been in us chatting before the actual stream
[25:41.180 --> 25:45.500]  start, but you did mention that you've, like, you found some mainframes that were just exposed
[25:45.500 --> 25:54.960]  online just by dropping something into Shodan. So, like, maybe not just a deep internal threat.
[25:56.240 --> 26:02.960]  Yeah, the majority of the ones I saw on Shodan were, like, there's actually a fun
[26:02.960 --> 26:12.180]  site that mainframe sent me about all the internet. It's just a bot that you just...
[26:12.180 --> 26:17.420]  people have sent mainframe IPs to it, and it just goes straight to the picture of the, like,
[26:17.420 --> 26:24.920]  the initial screen of it. That, I think, is a fairly fun site, but yeah.
[26:26.200 --> 26:34.460]  But yeah, so there's a couple of government ones, but a lot of them are just, like, emulated ones, but
[26:36.920 --> 26:43.060]  yeah, I think it's... I think the thing I was going to say was that, like, if a nation-state
[26:43.460 --> 26:49.100]  ever got a hold of something, it's unlikely they would ever, like, reveal themselves in that way,
[26:49.100 --> 26:53.200]  that, like, that they had got access to that. Like, it's not, like, a criminal organization
[26:53.200 --> 26:59.740]  where they'd be trying to, like, go after, like, those type of things. So, that's also a thing where
[27:00.960 --> 27:05.260]  I don't know if there was in the news recently, the owner of Pirate Bay
[27:07.020 --> 27:09.780]  hacked a mainframe. It was a while ago, but there's...
[27:11.580 --> 27:15.820]  I must have missed that one. Yeah, it was...
[27:16.940 --> 27:22.020]  But how secure are they from the inside? Would it be as simple as just being able to access
[27:22.020 --> 27:26.420]  somebody's workstation from inside to be able to get to the mainframe?
[27:26.420 --> 27:31.200]  Mainframe saying it's the Logica breach. Yeah, the Logica breach. And the fun thing about that
[27:31.200 --> 27:35.200]  one as well is that they released... well, I don't know if they released on purpose,
[27:35.200 --> 27:39.500]  but all of the, like, the court documents were released. It's on GitHub, by the way.
[27:39.500 --> 27:45.840]  So, you can see the fun tools they used to, like, to access all the... to do all the stuff.
[27:48.000 --> 27:52.020]  Mainframe says it's on WikiLeaks. So, anyone out there that's looking for more information...
[27:54.460 --> 27:59.500]  Apparently, there's a lot more data out there. This sounds pretty fascinating.
[28:00.560 --> 28:05.180]  Yeah, I was actually writing a tool, and I looked at Logica, and I was like,
[28:05.180 --> 28:13.440]  wait a minute, they did this already. I got beat out by the hackers.
[28:13.440 --> 28:17.740]  By a dump of random hacker activity. I love it.
[28:18.440 --> 28:21.040]  So, you just had to one-up them by presenting at DEF CON.
[28:21.700 --> 28:23.840]  Yeah. Yeah.
[28:24.800 --> 28:29.700]  So, we are approaching the end of the time of our Q&A session. Is there anything else you want
[28:29.700 --> 28:38.100]  to talk about while you still have the camera? I think I'm all topped out.
[28:40.200 --> 28:44.440]  Fair enough. Well, thank you very much for doing this Q&A session. Thank you for
[28:44.440 --> 28:48.400]  presenting to DEF CON, once again, for your first time. Really hope you come back. This
[28:48.400 --> 28:53.840]  was great content. I need to get back to Vegas at least once.
[28:54.000 --> 28:57.400]  You've got to experience in-person DEF CON as well.
[28:58.580 --> 29:02.800]  All right. Well, thank you very much, and we'll talk to you later.
